The Decline and Fall of Slammer?

Me and Slammer (Helkern) go back a long way… to 25 January 2003 to be precise. It was a baptism of fire for me in my new role as a virus analyst at Kaspersky Lab. It was a weekend and I was alone, in charge of monitoring the incoming flow of suspicious files. I had barely been at the company a month.

On that day the Internet suffered one of the biggest virus epidemics in its history – within the space of just fifteen minutes a worm using a vulnerability in MS SQL Server infected hundreds of thousands of computers worldwide and knocked out the Internet in South Korea for a few hours.

Those 376 bytes were the implementation of a so-called ‘bodyless’ virus, which does not write itself to the system but only stays in the operational memory.

That was more than 8 years ago, but Slammer is still hanging around and is constantly among the leaders in our network attack ratings. Millions and billions of malicious packets are sent out each day searching for victims and generating a considerable amount of junk traffic.

Then something strange happened on 9 March 2011. Our automated threat analysis system, Kaspersky Security Network, recorded a significant drop in the number of attacks. We received the data from our IDS (Intrusion Detection System) module which monitors network attacks. The system also determines the source of an attack.

Take a look at the following graph:

You can see that over the last few months the number of machines sending out packets of this worm has fluctuated dramatically, but never dropped below 200000 unique hosts in a single day. On 9 March, however, the number fell virtually ten-fold and currently stands at around 15000 unique hosts per day. At first we suspected that this sharp decline was the result of numerous Internet channels being disabled following the earthquake in Japan. That theory was soon rejected, however. Prior to Slammer’s decline we recorded just 150 or so infected machines. After 11 March that number fell to 35, but clearly this had no bearing on the overall change in the number of sources that ran into hundreds of thousands.

The second theory is based on the fact that the worm started disappearing on the same day the latest patches were released from Microsoft. This appears a possibility, but not one of the patches released that day had anything to do with MS SQL. Moreover, the computers that are acting as a source of the worm are obviously not being updated because the worm manages to use a vulnerability that dates back to 2002.

Another theory suggests that a major Internet provider has started filtering port 1434 traffic (the port used by the worm). But there has yet to be any confirmation of this. Here is a list of the 10 leading countries/regions in terms of attacks as of on 8 March:

This is what the same 10 entries looked like on 12 March:

The biggest drop was seen on the Chinese mainland, but the downward trend was repeated in Russia, Brazil, the USA and Spain. The odd one out is Taiwan, where an increase was recorded. These statistics also put paid to the major provider theory, because there is no known provider that operates in all these countries.

Data from the SANS Institute also confirms the fall in the number of attack sources:

UPDATE: A decade ago this week, Chairman Bill Gates kicked off the Trustworthy Computing Initiative at Microsoft with a company-wide memo. The echoes of that memo still resonate throughout the software industry today as other firms, from Apple to Adobe, and Oracle to Google have followed the path that Microsoft blazed over the past ten years.

[img_assist|nid=7144|title=|desc=|link=none|align=left|width=100|height=100]By David LitchfieldOn Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft’s SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by the researcher who found the bug and wrote the exploit code that was later taken by Slammer’s authors and used as part of the worm.

A modern smartphone is a full-blown working tool, an entertainment center and a tool to manage your personal finances. The more it can do, the more attractive it is to cybercriminals. The evidence for...

Cybercriminals go at great lengths to throw researchers off their scent, but just like in the "offline" crime world they make errors and leave peculiar traces behind, making them look a bit silly, whi...

By Maria Karnaukh Genius is often simple. Those ideas that ultimately reap millions of dollars are usually found hiding in plain view – unnoticed until their time is right. Here are several examples o...